Because malware sucks

abuse.ch is operated by a random swiss guy fighting malware for non-profit,
running a couple of projects helping internet service providers and network operators protecting
their infrastructure from malware. IT-Security researchers, vendors and law enforcement agencies rely
on data from abuse.ch, trying to make the internet a safer place.

> Blog

End of March 2018, abuse.ch launched it's most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware. The project is a huge success: with the help of the community, URLhaus was able to takedown almost 100,000 malware distribution sites within just 10 months! During that time, 265 security researchers located all over the world have identified and submitted in average 300 malware sites to URLhaus each day, helping others to protect their network and users from malware campaigns.
[read on]

In March 2018, I've launched my most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware. In the first half year, 234 users have contributed and shared more than 50'000 malware distribution sites on URLhaus. That's amazing! But URLhaus does not only collect malware URLs: The project also reports active malware distribution sites to blacklist providers like Spamhaus, SURBL and Google Safe Browsing.Since June 2018, URLhaus is also sending out automated abuse reports to the respective network owners by using Abuseix Abuse Contact DB.
[read on]

Keeping the Internet hygiene good can be challenging. There is a lot of badness around, harming not only internet users, organisations or corporate networks but also services that rely on the internet and sometimes even the integrity and stability of the internet itself. It is therefore essential to keep a certain level of internet hygiene. Among other things, internet services providers (ISPs) and national computer emergency response teams (CERTs) try to achieve that by collecting information about infected computers (so-called "bots") in order to notify the associated broadband subscriber or network owner about compromised machines.
[read on]

In August 2017, I've blogged about Adwind, a cross-platform RAT written in Java that is also known as "jRAT" and "JSocket". The main infection vector for Adwind is via spoofed email. The attacker doesn't have to care about the recipients operating system (OS): Adwind works on Windows, macOS and Linux. Recently, security researchers and AV vendors have published a handful interesting blog posts on Adwind. The recent uprise in Adwind campaigns seems to be related to Qrypter: a Malware-as-a-Service (MaaS) platform @Angelill0 blogged about in December 2017. The Qrypter MaaS platform is hosted in the Tor network, which makes it more resilient against takedowns and actions from law enforcement (LEA).
[read on]

It is fair to say that 2017 was the year of cryptocurrencies. In 2017, many cryptocurrencies went through the roof. Let's take Bitcoin (BTC) as an example: 1.0 BTC got traded for about 1,000 USD in beginning of 2017. In December 2017, one Bitcoin was more than 18,000 USD worth. An increase of 1800%! It was a very successful year for traders speculating on cryptocurrencies, and even more for cybercriminals: Cryptocurrencies like Bitcoin are the #1 means of payment when it comes to extortions. In the past years, the amount of extortions in cyberspace has grown rapidly. The most popular (and likely most easiest) way to extort money from not only random internet users but also small and medium businesses (like webshops) is DDoS extortion (DD4BC, Armada collective, you name it) and Ransomware (Crypt0L0cker, Locky, Cerber etc). Many of them demand Bitcoins as a ransom.
[read on]